Get 100 US$ for 25 minutesJoin Our Remote Atlassian Forge Market Research Study
Forge Opportunities

Cloud Fortified versus Runs on Atlassian: Understanding the Difference

Matthias Rauer
#Forge#Security#Compliance#Runs on Atlassian#Cloud Fortified
A screenshot of the Cloud Fortified and Runs on Atlassian filters

The Atlassian Marketplace is the central hub for extensions for Jira, Confluence, and other Atlassian products. Thousands of apps are available — from specialized mini-tools to comprehensive extensions for large enterprise scenarios. Anyone looking for suitable functionality will find a huge range of solutions here.

To keep this variety manageable, the Marketplace offers filters not only by products and use cases but also by technical and security-relevant criteria. In this article, we’ll take a closer look at two important labels: Cloud Fortified and the new Runs on Atlassian program. How do these two labels differ? Do they complement each other—or are they in competition?

Cloud Fortified: for the highest security and support standards

Cloud Fortified apps are designed for companies with high requirements for security, reliability, and support availability. To receive the Cloud Fortified label, providers must meet strict criteria:

  1. Security programs: The app must participate in the Atlassian Bug Bounty Program — an ongoing, collaborative security process where ethical hackers can report vulnerabilities. Additionally, a detailed Privacy & Security Tab must be available, providing transparency about data protection, encryption, access controls, and other security practices.

  2. Availability and reliability: Cloud Fortified apps must demonstrate clearly defined Service Level Objectives (SLOs) — such as availability, performance, and latency. A documented incident management process is also mandatory to ensure structured and rapid response in case of emergencies.

  3. Binding support: A clearly named support channel (e.g., a Service Desk) must be established and indicated in the Marketplace listing. For urgent, critical inquiries, a maximum response time of 24 hours is guaranteed.

Cloud Fortified apps thus offer a high level of security and stability with reliable, fast support structures.

Runs on Atlassian: full integration into the Atlassian Cloud

The new Runs on Atlassian label will be gradually introduced to the Marketplace starting in summer 2025. It identifies apps that operate entirely within the Atlassian cloud infrastructure — without external hosting or server components.

What does this mean specifically?

  1. Full Atlassian hosting: The app runs exclusively in the infrastructure provided by Atlassian - including operation, maintenance, and scaling. For admins, this means less operational complexity, as Atlassian assumes full hosting responsibility.

  2. No data egress: Data remains completely within the Atlassian environment. There is no flow of application or user data to third-party servers. You can also completely prevent the transmission of tracking or analytics data. Companies thus retain full control over their data.

  3. Support for Data Residency: Runs on Atlassian apps automatically adopt the Data Residency settings of the respective Atlassian product. For example, if you have restricted your Atlassian instance to a specific EU location, this also applies to the corresponding app — without additional configuration.

The Runs on Atlassian label provides additional security, reduces compliance effort, and makes it easier for IT departments to technically evaluate apps.

Does Runs on Atlassian replace the Cloud Fortified label?

Clearly: No. The two labels have different focuses and complement each other rather than compete.

Cloud Fortified stands for robust security, availability, and support standards.

Runs on Atlassian additionally represents the binding promise that no data will flow out and that the app supports the data residency settings of the Atlassian product.

There are many apps on the Marketplace that deliberately do not participate in the Runs on Atlassian program—for instance, because they need to enable external integrations or have special technical requirements. These apps are by no means less secure—many meet the strict requirements of the Cloud Fortified label and offer a correspondingly high level of security.

Scenarios where Runs on Atlassian is important

In practice, it always depends on your specific use case, and from case to case, Runs on Atlassian serves as a helpful additional criterion that can support a wise decision.

Let’s imagine that you want to extend an Atlassian product with a new function that’s important for your teams, and you’re evaluating between two apps with similar functionalities, one of which bears the Runs on Atlassian seal and the other doesn’t.

If your company needs to meet high compliance and data protection requirements, in such a specific case, the app with the Runs on Atlassian seal would probably be the better choice, as it implements an additional security layer. It may not be relevant for every company, but for other organizations with stricter requirements, it might be the deciding factor.

Conclusion

The differentiation between Cloud Fortified and Runs on Atlassian is not a simple either-or decision - but a question of priorities. Both labels help you make informed decisions.

The good news: In the Atlassian Marketplace, there is a suitable, verified solution for almost every scenario. And with increasing transparency through programs like Cloud Fortified and Runs on Atlassian, app selection for teams of any size becomes even easier, more transparent, and more secure.

← Back to Blog